<!DOCTYPE html>
<!--[if lt IE 7]>      <html class="no-js ie lt-ie9 lt-ie8 lt-ie7" lang="en-US"> <![endif]-->
<!--[if IE 7]>         <html class="no-js ie lt-ie9 lt-ie8" lang="en-US"> <![endif]-->
<!--[if IE 8]>         <html class="no-js ie lt-ie9" lang="en-US"> <![endif]-->
<!--[if gt IE 8]>      <html class="no-js ie lt-ie10" lang="en-US"> <![endif]-->
<!--[if gt IE 9]><!--> <html class="no-ie" lang="en-US"> <!--<![endif]-->
<head>
    <meta charset="utf-8">
    <link rel="shortcut icon" href="https://www.juniper.net/favicon.ico" />
    					    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <!--[if lte IE 9]>
        <script src="https://blogs.juniper.net/wp-content/themes/dfd-ronneby/assets/js/html5shiv.js"></script>
    <![endif]-->
    <!--[if lte IE 8]>
        <script src="https://blogs.juniper.net/wp-content/themes/dfd-ronneby/assets/js/excanvas.compiled.js"></script>
    <![endif]-->
    
	<link rel="alternate" type="application/rss+xml" title="Official Juniper Networks Blogs Feed" href="https://blogs.juniper.net/feed/">
<meta name='robots' content='max-image-preview:large' />

	<!-- This site is optimized with the Yoast SEO Premium plugin v15.0 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Linux Servers Hijacked to Implant SSH Backdoor | Official Juniper Networks Blogs</title>
	<meta name="description" content="A Control Web Panel vulnerability is being used to compromise SSH servers by injecting code via dynamic library preloading." />
	<meta name="robots" content="index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1" />
	<link rel="canonical" href="https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Linux Servers Hijacked to Implant SSH Backdoor | Official Juniper Networks Blogs" />
	<meta property="og:description" content="A Control Web Panel vulnerability is being used to compromise SSH servers by injecting code via dynamic library preloading." />
	<meta property="og:url" content="https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor" />
	<meta property="og:site_name" content="Official Juniper Networks Blogs" />
	<meta property="article:publisher" content="https://www.facebook.com/JuniperNetworks/" />
	<meta property="article:published_time" content="2021-04-26T14:56:36+00:00" />
	<meta property="og:image" content="https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1.png" />
	<meta property="og:image:width" content="831" />
	<meta property="og:image:height" content="464" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@JuniperNetworks" />
	<meta name="twitter:site" content="@JuniperNetworks" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://blogs.juniper.net/#organization","name":"Juniper Networks","url":"https://blogs.juniper.net/","sameAs":["https://www.facebook.com/JuniperNetworks/","https://www.instagram.com/junipernetworks/","https://www.linkedin.com/company/juniper-networks/","https://www.youtube.com/channel/UCSMtl5UvvJOMkFnMrjNCrtA","https://en.wikipedia.org/wiki/Juniper_Networks","https://twitter.com/JuniperNetworks"],"logo":{"@type":"ImageObject","@id":"https://blogs.juniper.net/#logo","inLanguage":"en-US","url":"https://blogs.juniper.net/wp-content/uploads/2020/01/favicon.ico","width":192,"height":192,"caption":"Juniper Networks"},"image":{"@id":"https://blogs.juniper.net/#logo"}},{"@type":"WebSite","@id":"https://blogs.juniper.net/#website","url":"https://blogs.juniper.net/","name":"Official Juniper Networks Blogs","description":"Insights and expertise","publisher":{"@id":"https://blogs.juniper.net/#organization"},"potentialAction":[{"@type":"SearchAction","target":"https://blogs.juniper.net/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#primaryimage","inLanguage":"en-US","url":"https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1.png","width":831,"height":464},{"@type":"WebPage","@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#webpage","url":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor","name":"Linux Servers Hijacked to Implant SSH Backdoor | Official Juniper Networks 
Blogs","isPartOf":{"@id":"https://blogs.juniper.net/#website"},"primaryImageOfPage":{"@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#primaryimage"},"datePublished":"2021-04-26T14:56:36+00:00","dateModified":"2021-04-26T14:56:36+00:00","description":"A Control Web Panel vulnerability is being used to compromise SSH servers by injecting code via dynamic library preloading.","breadcrumb":{"@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor"]}]},{"@type":"BreadcrumbList","@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"item":{"@type":"WebPage","@id":"https://blogs.juniper.net/","url":"https://blogs.juniper.net/","name":"Home"}},{"@type":"ListItem","position":2,"item":{"@type":"WebPage","@id":"https://blogs.juniper.net/threat-research","url":"https://blogs.juniper.net/threat-research","name":"Threat Research"}},{"@type":"ListItem","position":3,"item":{"@type":"WebPage","@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor","url":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor","name":"Linux Servers Hijacked to Implant SSH Backdoor"}}]},{"@type":"Article","@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#article","isPartOf":{"@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#webpage"},"author":{"@id":"https://blogs.juniper.net/#/schema/person/5da1765a21c793d656622f4365641a28"},"headline":"Linux Servers Hijacked to Implant SSH 
Backdoor","datePublished":"2021-04-26T14:56:36+00:00","dateModified":"2021-04-26T14:56:36+00:00","mainEntityOfPage":{"@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#webpage"},"publisher":{"@id":"https://blogs.juniper.net/#organization"},"image":{"@id":"https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor#primaryimage"},"articleSection":"Threat Research","inLanguage":"en-US"},{"@type":"Person","@id":"https://blogs.juniper.net/#/schema/person/5da1765a21c793d656622f4365641a28","name":"Asher Langton","image":{"@type":"ImageObject","@id":"https://blogs.juniper.net/#personlogo","inLanguage":"en-US","url":"https://blogs.juniper.net/wp-content/uploads/2020/09/IMG_E4494_DxO_full-1-96x96.jpg","caption":"Asher Langton"},"description":"Asher Langton is a researcher at Juniper Threat Labs who, according to Techdirt, \"has an astounding ability to sniff out frauds online.\""}]}</script>
	<!-- / Yoast SEO Premium plugin. -->


<link rel='dns-prefetch' href='//www.juniper.net' />
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Official Juniper Networks Blogs &raquo; Feed" href="https://blogs.juniper.net/feed" />
<link rel="alternate" type="application/rss+xml" title="Official Juniper Networks Blogs &raquo; Comments Feed" href="https://blogs.juniper.net/comments/feed" />
	<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby/assets/fonts/dfd_icon_set/dfd_icon_set.css?ver=5.8.6">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-includes/css/dist/block-library/style.min.css?ver=5.8.6">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby/assets/css/mobile-responsive.css?ver=5.8.6">
<link rel="stylesheet" href="https://www.juniper.net/assets/styles/global-nav.css">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby/assets/css/visual-composer.css">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby-child/assets/css/font.css">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby-child/assets/css/app.css">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby-child/assets/css/jnpr.css?ver=1.0">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby-child/assets/css/mobile-responsive.css">
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/themes/dfd-ronneby-child/style.css">
<!--[if lt IE 9]>
<link rel="stylesheet" href="https://blogs.juniper.net/wp-content/plugins/js_composer/assets/css/vc_lte_ie9.min.css?ver=6.0.5">
<![endif]-->
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Montserrat%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C900%2C100italic%2C200italic%2C300italic%2C400italic%2C500italic%2C600italic%2C700italic%2C800italic%2C900italic%7CRaleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C900%2C100italic%2C200italic%2C300italic%2C400italic%2C500italic%2C600italic%2C700italic%2C800italic%2C900italic%7CDroid+Serif%3A400%2C700%2C400italic%2C700italic%7CLora%3A400%2C700%2C400italic%2C700italic%7CRoboto%3A100%2C300%2C400%2C500%2C700%2C900%2C100italic%2C300italic%2C400italic%2C500italic%2C700italic%2C900italic&#038;subset=latin&#038;ver=1581418109">
<script type='text/javascript' src='https://blogs.juniper.net/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script type='text/javascript' src='https://blogs.juniper.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<link rel="https://api.w.org/" href="https://blogs.juniper.net/wp-json/" /><link rel="alternate" type="application/json" href="https://blogs.juniper.net/wp-json/wp/v2/posts/24414" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blogs.juniper.net/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://blogs.juniper.net/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.8.6" />
<link rel='shortlink' href='https://blogs.juniper.net/?p=24414' />
<link rel="alternate" type="application/json+oembed" href="https://blogs.juniper.net/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblogs.juniper.net%2Fen-us%2Fthreat-research%2Flinux-servers-hijacked-to-implant-ssh-backdoor" />
<link rel="alternate" type="text/xml+oembed" href="https://blogs.juniper.net/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblogs.juniper.net%2Fen-us%2Fthreat-research%2Flinux-servers-hijacked-to-implant-ssh-backdoor&#038;format=xml" />
<meta name="generator" content="Site Kit by Google 1.74.0" /><meta property="og:image" content="https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1.png" /><meta property="og:image:width" content="831" /><meta property="og:image:height" content="464" /><meta property="og:url" content="https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor" /><meta property="og:title" content="Linux Servers Hijacked to Implant SSH Backdoor" /><meta name="generator" content="Powered by WPBakery Page Builder - drag and drop page builder for WordPress."/>
<link rel="icon" href="https://blogs.juniper.net/wp-content/uploads/2020/01/favicon.ico" sizes="32x32" />
<link rel="icon" href="https://blogs.juniper.net/wp-content/uploads/2020/01/favicon.ico" sizes="192x192" />
<link rel="apple-touch-icon" href="https://blogs.juniper.net/wp-content/uploads/2020/01/favicon.ico" />
<meta name="msapplication-TileImage" content="https://blogs.juniper.net/wp-content/uploads/2020/01/favicon.ico" />
<noscript><style> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript>
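<!-- Third-party script from assets.adobedtm.com. It is requested over explicit HTTPS rather than a protocol-relative URL, so the scheme cannot follow the embedding page down to http: or file:. No digest for this vendor-served bundle appears on the page, so no integrity attribute is set; restrict it with a script-src Content-Security-Policy allow-list instead. -->
<script src="https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js"></script>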
</head>
<body class="post-template-default single single-post postid-24414 single-format-standard dfd-page-title-linux-servers-hijacked-to-implant-ssh-backdoor dfd-smooth-scroll wpb-js-composer js-comp-ver-6.0.5 vc_responsive" data-directory="https://blogs.juniper.net/wp-content/themes/dfd-ronneby"  data-header-responsive-width="1101" data-share-pretty="Share" data-next-pretty="next" data-prev-pretty="prev">
			
                       "url":"https://www.juniper.net/us/en/up-and-running/",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Self-Service Tools > Juniper Support Portal",
                       "label":"Juniper Support Portal",
                       "url":"https://supportportal.juniper.net",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Support > Self-Service Tools > Product License Keys",
                       "label":"Product License Keys",
                       "url":"https://license.juniper.net/licensemanage/",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Support > Self-Service Tools > Product Entitlement Search",
                       "label":"Product Entitlement Search",
                       "url":"https://entitlementsearch.juniper.net/entitlementsearch/",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Support > Self-Service Tools > Update Install Base",
                       "label":"Update Install Base",
                       "url":"https://supportportal.juniper.net",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Self-Service Tools > Contact Support",
                       "label":"Contact Support",
                       "url":"https://support.juniper.net/support/requesting-support/",
                      "target" : ""
                    }
               ]
            },
            {  
               "trackid": "Support > Downloads",
               "label":"Downloads",
               "url":"https://support.juniper.net/support/downloads/",
               "items":[
                  
                    {   
                       "trackid": "Support > Downloads > EX Series",
                       "label":"EX Series",
                       "url":"https://support.juniper.net/support/downloads/?f=ex",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Downloads > MX Series",
                       "label":"MX Series",
                       "url":"https://support.juniper.net/support/downloads/?f=mx",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Downloads > PTX Series",
                       "label":"PTX Series",
                       "url":"https://support.juniper.net/support/downloads/?f=ptx",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Downloads > QFX Series",
                       "label":"QFX Series",
                       "url":"https://support.juniper.net/support/downloads/?f=qfx",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Downloads > SRX Series",
                       "label":"SRX Series",
                       "url":"https://support.juniper.net/support/downloads/?f=srx",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Downloads > Junos Space",
                       "label":"Junos Space",
                       "url":"https://support.juniper.net/support/downloads/?f=space",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Downloads > SSG Series",
                       "label":"SSG Series",
                       "url":"https://support.juniper.net/support/downloads/?f=ssg",
                      "target" : ""
                    }
               ]
            },
            {  
               "trackid": "Support > Documentation",
               "label":"Documentation",
               "url":"",
               "items":[
                  
                    {   
                       "trackid": "Support > Documentation > Knowledge Base",
                       "label":"Knowledge Base",
                       "url":"https://kb.juniper.net/InfoCenter/index?page=home",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Documentation > TechLibrary",
                       "label":"TechLibrary",
                       "url":"https://www.juniper.net/documentation/",
                      "target" : ""
                    },
                    {   
                       "trackid": "Support > Documentation > Problem Report Search",
                       "label":"Problem Report Search",
                       "url":"https://prsearch.juniper.net/InfoCenter/index?page=prsearch",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Support > Documentation > Pathfinder",
                       "label":"Pathfinder",
                       "url":"https://apps.juniper.net/home/",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Support > Documentation > Community",
                       "label":"Community",
                       "url":"https://forums.juniper.net/",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Support > Documentation > Security Intelligence",
                       "label":"Security Intelligence",
                       "url":"https://threatlabs.juniper.net/home/search/#/list/ips?page_number=1&page_size=20",
                      "target" : "_top"
                    },
                    {   
                       "trackid": "Support > Documentation > Report a Vulnerability",
                       "label":"Report a Vulnerability",
                       "url":"https://www.juniper.net/us/en/report-a-security-vulnerability.html",
                      "target" : ""
                    }
               ]
            }
         ]

                        },
                       {
                        
      "trackid": "Training",
      "label":"Training",
      "url":"https://www.juniper.net/us/en/training.html",
      "items":[
        
            {  
               "trackid": "Training > Training",
               "label":"Training",
               "url":"https://www.juniper.net/us/en/training/",
               "items":[
                  
                    {   
                       "trackid": "Training > Training > Schedule of Classes",
                       "label":"Schedule of Classes",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=JUNIPER-TRAINING-SCHEDULE-HOME",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Training > Training > All Access Training Pass",
                       "label":"All Access Training Pass",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=ALL-ACCESS-TRAINING-PASS-HOME",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Training > Training > On-demand Courses",
                       "label":"On-demand Courses",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=JUNIPER-ONDEMAND-TRAINING-HOME",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Training > Training > Open Learning",
                       "label":"Open Learning",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=11478",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Training > Training > Learning Paths",
                       "label":"Learning Paths",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=JUNIPER-LEARNING-PATHS-HOME",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Training > Training > Getting Started",
                       "label":"Getting Started",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=FREE-JUNIPER-TRAINING-HOME",
                      "target" : "_blank"
                    }
               ]
            },
            {  
               "trackid": "Training > Certification",
               "label":"Certification",
               "url":"https://www.juniper.net/us/en/training/certification.html",
               "items":[
                  
                    {   
                       "trackid": "Training > Certification > Getting Started",
                       "label":"Getting Started",
                       "url":"https://www.juniper.net/us/en/training/certification.html",
                      "target" : ""
                    },
                    {   
                       "trackid": "Training > Certification > Certification Tracks",
                       "label":"Certification Tracks",
                       "url":"https://www.juniper.net/us/en/training/certification.html",
                      "target" : ""
                    },
                    {   
                       "trackid": "Training > Certification > Certification Resources",
                       "label":"Certification Resources",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=JUNIPER-CERTIFICATION-PROGRAM-HOME",
                      "target" : "_blank"
                    },
                    {   
                       "trackid": "Training > Certification > Exam Registration",
                       "label":"Exam Registration",
                       "url":"https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=JUNIPER-CERTIFICATION-PROGRAM-HOME",
                      "target" : ""
                    },
                    {   
                       "trackid": "Training > Certification > Recertification",
                       "label":"Recertification",
                       "url":"https://www.juniper.net/us/en/training/certification/recertification.html",
                      "target" : ""
                    },
                    {   
                       "trackid": "Training > Certification > Manage My Certs",
                       "label":"Manage My Certs",
                       "url":"https://www.certmetrics.com/juniper/login.aspx?ReturnUrl=%2fjuniper%2f",
                      "target" : "_blank"
                    }
               ]
            }
         ]

                       }
                      
               ],
               "countrySelector":{

                 "active":"en-us",
                 "items":[
                   
                    {
                       "label":"United States",
                       "url":"https://www.juniper.net/us/en.html",
                       "value":"en-us"
                    },
                    {
                       "label":"Brazil - Brasil",
                       "url":"https://www.juniper.net/br/pt.html",
                       "value":"pt-br"
                    },
                    {
                       "label":"China - 中国",
                       "url":"https://www.juniper.net/cn/zh.html",
                       "value":"zh-cn"
                    },
                    {
                       "label":"France",
                       "url":"https://www.juniper.net/fr/fr.html",
                       "value":"fr-fr"
                    },
                    {
                       "label":"Germany - Deutschland",
                       "url":"https://www.juniper.net/de/de.html",
                       "value":"de-de"
                    },
                    {
                       "label":"Italy - Italia",
                       "url":"https://www.juniper.net/it/it.html",
                       "value":"it-it"
                    },
                    {
                       "label":"Japan - 日本",
                       "url":"https://www.juniper.net/jp/ja.html",
                       "value":"jp-jp"
                    },
                    {
                       "label":"Korea - 대한민국",
                       "url":"https://www.juniper.net/kr/ko.html",
                       "value":"kr-kr"
                    },
                    {
                       "label":"Latin America",
                       "url":"https://www.juniper.net/mx/es.html",
                       "value":"es-mx"
                    },
                    {
                       "label":"Russia - Россия",
                       "url":"https://www.juniper.net/ru/ru.html",
                       "value":"ru-ru"
                    },
                    {
                       "label":"Spain - España",
                       "url":"https://www.juniper.net/es/es.html",
                       "value":"es-es"
                    },
                    {
                       "label":"The Netherlands",
                       "url":"https://www.juniper.net/nl/nl.html",
                       "value":"nl-nl"
                    },
                    {
                       "label":"United Kingdom",
                       "url":"https://www.juniper.net/gb/en.html",
                       "value":"en-uk"
                    }
                 ]
               },
               "account":{
               
               "signedInState":true,
               "signInUrl":"https://www.juniper.net/utils/secure/login.html",
               "signIntrackid":"signIn",
               "signOutUrl":"/search/logout.page",
               "signOuttrackid":"signOut",
               "accountName":"John Doe",
               "accountType":"My Account",
               "accountLinks":[
               
                {
                   "label":"Access Partner Center",
                   "url":"https://partners.juniper.net/partnercenter/index.page"
                },
                {
                   "label":"Edit Account Information",
                   "url":"https://userregistration.juniper.net/entitlement/editAcctInfo.do"
                },
                {
                   "label":"Register a new product",
                   "url":"https://www.juniper.net/svcreg/SRegSerialNum.jsp"
                },
                {
                   "label":"Create an Account",
                   "url":"https://userregistration.juniper.net/entitlement/setupAccountInfo.do"
                }
               ]
               },
               "l10n":{
               "logInLabel":"Log In",
               "logOutLabel":"Log Out",
               "countrySelector":"Country",
               "searchPlaceholder":"Search Juniper.net",
               "search":"Search",
               "skipNavLabel":"Skip main navigation",
               "backLabel":"Back"
               },
               "contact":
               {
               "label":"Contact Us",
               "url":"https://www.juniper.net/us/en/company/contact-us.html",
               "trackid": "contactus"
               },
               "navPromo":
               {
               "label":"Offers and Trials",
               "url":"https://www.juniper.net/us/en/forms/apstra-free-trial.html",
               "trackid": "promo nav"
               }
             }
          </script>
</sw-primary-nav>


			<div id="main-wrap" class="">
				<div id="change_wrap_div">
<div id="stuning-header">
	<div class="dfd-stuning-header-bg-container" style=" background-color: #ffffff; background-image: url(https://blogs.juniper.net/wp-content/uploads/2020/01/Juniper-Networks-518251288-GREEN.jpg);background-position: center top;background-size: initial;background-attachment: fixed;">
			</div>
	<div class="stuning-header-inner">
		<div class="row">
			<div class="twelve columns">
				<div class="page-title-inner  page-title-inner-bgcheck text-center"  style="height: 320px">
					<div class="page-title-inner-wrap">
																			<h1 class="page-title">
								Linux Servers Hijacked to Implant SSH Backdoor							</h1>
																													</div>
					<div id="breadcrumbs simple" class="breadcrumbs"><nav><span><a href="https://blogs.juniper.net/">Home</a> / <span><a href="https://blogs.juniper.net/threat-research">Threat Research</a> / <span class="breadcrumb_last" aria-current="page">Linux Servers Hijacked to Implant SSH Backdoor</span></span></span></nav></div>									</div>
			</div>
		</div>
	</div>
</div>

<!-- Prev/Next pagination -->
<section id="layout" class="single-post dfd-equal-height-children">
	<div class="single-post dfd-single-layout- row dfd-single-style-advanced">

		<div class="blog-section sidebar-right"><section id="main-content" role="main" class="nine dfd-eq-height dfd-blog-standard columns">

<article class="post-24414 post type-post status-publish format-standard has-post-thumbnail hentry category-threat-research">
	<div class="dfd-single-post-heading">
					<div class="dfd-news-categories">
							</div>
			<div class="dfd-blog-title">Linux Servers Hijacked to Implant SSH Backdoor</div>
							<div class="entry-meta meta-bottom">
	<span class="entry-date">April 26, 2021</span>	<div class="meta-author">
	<span class="before-author">by</span>

	<span class="byline author vcard">
	<a href="https://blogs.juniper.net/author/langton" title="Posts by Asher Langton" class="author url fn" rel="author">Asher Langton</a>	</span>
	</div>

	
	</div>
			</div>
	<div class="entry-content">

		<p><span data-contrast="auto"><img loading="lazy" class="aligncenter size-full wp-image-24441" src="https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1.png" alt="" width="831" height="464" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1.png 831w, https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1-300x168.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/210226_DIGITAL_ControlWebPanelThreatLabs-v1-768x429.png 768w" sizes="(max-width: 831px) 100vw, 831px" /></span></p>
<p><span data-contrast="auto">On February 1st, Juniper Threat Labs observed an attack that attempted to inject malicious code into</span> <a href="https://en.wikipedia.org/wiki/Secure_Shell_Protocol"><span data-contrast="none">Secure Shell (SSH)</span></a> <span data-contrast="auto">servers on Linux. The attack begins with an exploit against the </span><a href="https://control-webpanel.com/"><span data-contrast="none">Control Web Panel</span></a> <span data-contrast="auto">(CWP, formerly known as CentOS Web Panel) server administration web application, injects code via </span><a href="https://jvns.ca/blog/2014/11/27/ld-preload-is-super-fun-and-easy/"><span data-contrast="none">LD_PRELOAD</span></a><span data-contrast="auto">-style library preloading (here through the /etc/ld.so.preload file rather than the environment variable), and uses a custom, encrypted binary command-and-control protocol to exfiltrate credentials and machine capabilities.</span> <span data-contrast="auto">As of this writing, the malware command-and-control server is still active.</span></p>
<figure id="attachment_24415" class="thumbnail wp-caption aligncenter" style="width: 441px"><img loading="lazy" class="size-full wp-image-24415" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image1.png" alt="Diagram showing progression of attack from CWP exploit to installation to exfiltration." width="441" height="208" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image1.png 441w, https://blogs.juniper.net/wp-content/uploads/2021/04/image1-300x141.png 300w" sizes="(max-width: 441px) 100vw, 441px" /><figcaption class="caption wp-caption-text">Figure 1. Attack chain</figcaption></figure>
<h2><span data-contrast="none">Exploit</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h2>
<p><span data-contrast="auto">Th</span><span data-contrast="auto">e</span><span data-contrast="auto"> attack starts with a command</span> <span data-contrast="auto">injection against Control Web Panel:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<figure id="attachment_24416" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="wp-image-24416 size-large" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image2-e1618958060233-1024x142.png" alt="Text of malicious POST request" width="1024" height="142" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image2-e1618958060233-1024x142.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image2-e1618958060233-300x42.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image2-e1618958060233-768x107.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image2-e1618958060233-1536x214.png 1536w, https://blogs.juniper.net/wp-content/uploads/2021/04/image2-e1618958060233.png 1826w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 2. HTTP request from initial attack</figcaption></figure>
<p><span data-contrast="auto">CWP has been plagued by security issues, including</span> <a href="https://www.zerodayinitiative.com/advisories/published/2020/"><span data-contrast="none">37 0-day vulnerabilities disclosed by the Zero Day Initiative in 2020</span></a><span data-contrast="auto">. Among these is a </span><a href="https://www.zerodayinitiative.com/advisories/ZDI-20-758/"><span data-contrast="none">failure to </span><span data-contrast="none">sanitize the service_restart paramet</span><span data-contrast="none">er</span></a><span data-contrast="auto">, which follows </span><a href="https://www.exploit-db.com/exploits/45610"><span data-contrast="none">a similar set of vulnerabilities</span></a><span data-contrast="auto"> in 2018</span><span data-contrast="auto">.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">Because of the number of vulnerabilities in CWP, the intentional encryption and obfuscation of its source code </span><a href="http://forum.centos-webpanel.com/index.php?topic=4130.0"><span data-contrast="none">ostensibly for security reasons</span></a><span data-contrast="auto">, and CWP’s failure to respond to ZDI’s recent disclosures, it is difficult to ascertain which versions of CWP are or remain vulnerable to this attack. In 2020, there were over </span><a href="https://zero.bs/sb-2022-multiple-rce-and-sqli-in-centos-web-panel-cwp.html"><span data-contrast="none">215k CWP installations</span></a><span data-contrast="auto"> accessible from the open internet, so the number of computers compromised in this campaign may be substantial. </span></p>
<h2><span data-contrast="none">Installation</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h2>
<p><span data-contrast="auto">On successful exploitation of the </span><span data-contrast="auto">web panel, the following commands are executed.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<figure id="attachment_24417" class="thumbnail wp-caption aligncenter" style="width: 872px"><img loading="lazy" class="size-full wp-image-24417" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image3.png" alt="" width="872" height="346" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image3.png 872w, https://blogs.juniper.net/wp-content/uploads/2021/04/image3-300x119.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image3-768x305.png 768w" sizes="(max-width: 872px) 100vw, 872px" /><figcaption class="caption wp-caption-text">Figure 3. Commands executed via CWP exploit</figcaption></figure>
<p><span data-contrast="auto">First, the “sshins” installer binary is retrieved, executed, and deleted</span><span data-contrast="auto">. Then the CWP logs are wiped of any mention of sshins and the shell history is cleared. </span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">The sshins binary is a 64-bit Linux ELF executable. It is packed with </span><a href="https://upx.github.io/"><span data-contrast="none">UPX</span></a><span data-contrast="auto"> and t</span><span data-contrast="auto">he </span><span data-contrast="auto">packed </span><span data-contrast="auto">file has garbage bytes appended</span><span data-contrast="auto"> to it</span><span data-contrast="auto"> in an attempt to hinder </span><span data-contrast="auto">automated unpacking. </span><span data-contrast="auto">It does 3 things:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<ol>
<li><span data-contrast="auto">Drops a Linux shared library to an architecture-specific location (in this case, /lib64/libs.so).</span></li>
<li><span data-contrast="auto">Writes the name of the dropped file to a text file at /etc/ld.so.preload.</span></li>
<li><span data-contrast="auto">Restarts the OpenSSH service.</span></li>
</ol>
<figure id="attachment_24418" class="thumbnail wp-caption aligncenter" style="width: 686px"><img loading="lazy" class="size-full wp-image-24418" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image4.png" alt="" width="686" height="272" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image4.png 686w, https://blogs.juniper.net/wp-content/uploads/2021/04/image4-300x119.png 300w" sizes="(max-width: 686px) 100vw, 686px" /><figcaption class="caption wp-caption-text">Figure 4. Console output from the installer</figcaption></figure>
<h2><span data-contrast="none">Hijacking the OpenSSH server process</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h2>
<h3><span data-contrast="none">Injecting the malicious code</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p><span data-contrast="auto">The file /etc/ld.so.preload contains a directive to the </span><a href="https://man7.org/linux/man-pages/man8/ld.so.8.html"><span data-contrast="none">dynamic linker</span></a><span data-contrast="auto"> telling it to load the specified shared library first, and to give precedence to the exported functions from the ld-preloaded library. Because the malicious libs.so library exports its own version of the </span><a href="https://man7.org/linux/man-pages/man2/bind.2.html"><span data-contrast="none">bind()</span></a><span data-contrast="auto"> function, applications will use the backdoored version of this function instead of the standard implementation from Linux system libraries. The preload file applies to every dynamically linked program on the host, not only sshd, and on many systems it is absent or empty by default, so an unexpected entry in it is a useful thing to check for.</span></p>
<p>When the OpenSSH server daemon (sshd) restarts, libs.so first executes an initialization function as the library is loaded, and from then on it can run its own code whenever sshd calls bind(). Running inside the sshd server processes, the malware uses this hook to periodically beacon to the command-and-control (C2) server and to exfiltrate data, including a listing of system information such as CPU and OS details, amount of RAM, available disk space, and OpenSSH configuration:</p>
<figure id="attachment_24419" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="wp-image-24419 size-large" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image5-e1618958725604-1024x939.png" alt="" width="1024" height="939" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image5-e1618958725604-1024x939.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image5-e1618958725604-300x275.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image5-e1618958725604-768x704.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image5-e1618958725604.png 1532w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 5. Strings from the disassembled library indicating data to be exfiltrated.</figcaption></figure>
<p>In addition to the continuously running server processes, sshd calls <a href="https://man7.org/linux/man-pages/man2/fork.2.html">fork()</a> to create a pair of new processes to handle each login connection. From these session-specific processes, the malicious bind() function launches an additional temporary sshd process that exfiltrates the incoming user’s <a href="http://bash.org/?244321">login credentials</a>.</p>
<figure id="attachment_24420" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="size-large wp-image-24420" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image6-1024x102.png" alt="" width="1024" height="102" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image6-1024x102.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image6-300x30.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image6-768x76.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image6.png 1298w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 6. User credentials and computer identifier exfiltrated by the malware.</figcaption></figure>
<h3><span data-contrast="none">C2 communication</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p><span data-contrast="auto">The </span><span data-contrast="auto">C2 communication involves the server </span><span data-contrast="auto">176[.]111.174.26</span><span data-contrast="auto"> on port 443. </span><span data-contrast="auto">Port 443 is typically used for HTTPS but here the traffic is raw TCP</span><span data-contrast="auto">, hiding in plain sight on a common port. </span><span data-contrast="auto">The server has a Russian IP address</span><span data-contrast="auto"> that is associated with a Bulgarian webhosting provider.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">The client initiates</span> <span data-contrast="auto">communication with a simple </span><span data-contrast="auto">directive</span><span data-contrast="auto">, padded out to 8 bytes. (As we’ll discuss below, the malware uses an encryption algorithm with an </span><span data-contrast="auto">8-byte</span><span data-contrast="auto"> block size, but </span><span data-contrast="auto">even unencrypted messages are always a multiple of 8 in </span><span data-contrast="auto">length</span><span data-contrast="auto">.)</span><span data-contrast="auto"> Following is the first packet sent to the server after the TCP handshake, with the </span><span data-contrast="auto">8-byte</span><span data-contrast="auto"> message highlighted.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<figure id="attachment_24421" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="wp-image-24421 size-large" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image7-e1618958767346-1024x142.png" alt="" width="1024" height="142" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image7-e1618958767346-1024x142.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image7-e1618958767346-300x42.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image7-e1618958767346-768x107.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image7-e1618958767346.png 1168w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 7. Initial TCP packet to C2 server, with payload highlighted.</figcaption></figure>
<p><span data-contrast="auto">The C2 server replies with the following</span><span data-contrast="auto"> message (TCP packet omitted for clarity)</span><span data-contrast="auto">:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<figure id="attachment_24422" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="size-large wp-image-24422" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image8-1024x345.png" alt="" width="1024" height="345" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image8-1024x345.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image8-300x101.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image8-768x259.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image8.png 1158w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 8. Server response.</figcaption></figure>
<p><span data-contrast="auto">The response consists of a header with the payload length (24 bytes), a command (0x0201), and the </span><a href="https://en.wikipedia.org/wiki/Cyclic_redundancy_check"><span data-contrast="none">CRC32 checksum</span></a><span data-contrast="auto"> of the payload. </span><span data-contrast="auto">The </span><span data-contrast="auto">24-byte</span><span data-contrast="auto"> payload is used to encrypt the exfiltrated data</span><span data-contrast="auto"> that</span><span data-contrast="auto"> i</span><span data-contrast="auto">s then sent </span><span data-contrast="auto">back </span><span data-contrast="auto">to the C2 server</span><span data-contrast="auto">, as we’ll see in the next section.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<h3><span data-contrast="none">Cryptography</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h3>
<p>Data sent back to the C2 server is encrypted using a variant of the <a href="https://www.schneier.com/academic/blowfish/">Blowfish encryption algorithm</a> that was used to <a href="https://www.akkit.org/info/gbatek.htm#dsencryptionbygamecodeidcodekey1">secure game assets on the Nintendo DS</a> and, more recently, <a href="https://sudonull.com/post/7577-We-solve-crackme-from-Kaspersky-Lab">incorporated into a reverse-engineering challenge from Kaspersky Lab</a>. Below is publicly available encryption code that was reverse-engineered from the DS:</p>
<figure id="attachment_24423" class="thumbnail wp-caption aligncenter" style="width: 782px"><img loading="lazy" class="size-full wp-image-24423" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image9.png" alt="" width="782" height="990" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image9.png 782w, https://blogs.juniper.net/wp-content/uploads/2021/04/image9-237x300.png 237w, https://blogs.juniper.net/wp-content/uploads/2021/04/image9-768x972.png 768w" sizes="(max-width: 782px) 100vw, 782px" /><figcaption class="caption wp-caption-text">Figure 9. Reverse-engineered Nintendo DS encryption routine, from https://github.com/RocketRobz/NTR_Launcher_3D/blob/master/twlnand-side/BootLoader/source/encryption.c.</figcaption></figure>
<p><span data-contrast="auto">Then we have the decompiled encryption routine from the preloaded library:</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<figure id="attachment_24424" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="wp-image-24424 size-large" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image10-e1618958822917-1024x704.png" alt="" width="1024" height="704" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image10-e1618958822917-1024x704.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image10-e1618958822917-300x206.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image10-e1618958822917-768x528.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image10-e1618958822917.png 1419w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 10. Corresponding encryption routine from the malware.</figcaption></figure>
<p>Note, in particular, the use of the constants 0x12, 0x112, 0x212, and 0x312, which differs from the standard Blowfish implementation. (The decompiled code is functionally identical to the Nintendo DS routine in Figure 9, differing only due to <a href="https://en.wikipedia.org/wiki/Loop_unrolling">loop unrolling</a> and other compiler optimizations.)</p>
<p><span data-contrast="auto">While the underlying encryption routine is taken directly from </span><a href="https://github.com/RocketRobz/NTR_Launcher_3D/blob/master/twlnand-side/BootLoader/source/encryption.c"><span data-contrast="none">publicly available code</span></a><span data-contrast="auto">, </span><span data-contrast="auto">the malware authors incorporate some additional tricks to thwart analysis and decryption. </span><span data-contrast="auto">Both Blowfish and the Nintendo variant require a</span><span data-contrast="auto">n</span> <a href="https://en.wikipedia.org/wiki/S-box"><span data-contrast="none">S-box</span></a><span data-contrast="auto"> lookup table </span><span data-contrast="auto">that remains constant throughout the encryption and decryption processes. </span><span data-contrast="auto">But u</span><span data-contrast="auto">nlike the Nintendo implementation</span><span data-contrast="auto">, </span><span data-contrast="auto">the malware mutate</span><span data-contrast="auto">s</span> <span data-contrast="auto">its</span><span data-contrast="auto"> S-box </span><span data-contrast="auto">prior to use. First, as the table is loaded from program memory, it is subject to several static transformations that make it harder to correlate the stored table with the one used for encryption. </span><span data-contrast="auto">Then</span><span data-contrast="auto"> the encryption algorithm is run against portions of its own S-box</span><span data-contrast="auto">, transforming it at each step. This process is initialized using part of the </span><span data-contrast="auto">24-byte</span><span data-contrast="auto"> payload received from the C2 server.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">Once the table has been fixed, the actual encryption begins. </span><span data-contrast="auto">T</span><span data-contrast="auto">he malware </span><span data-contrast="auto">improves upon</span><span data-contrast="auto"> the Nintendo</span> <span data-contrast="auto">implementation by adding</span> <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC)"><span data-contrast="none">cipher-block chaining</span><span data-contrast="none"> (CBC)</span></a><span data-contrast="auto">. With </span><span data-contrast="auto">CBC, each </span><span data-contrast="auto">8-byte</span><span data-contrast="auto"> plaintext block is </span><span data-contrast="auto">first </span><span data-contrast="auto">XOR</span><span data-contrast="auto">e</span><span data-contrast="auto">d </span><span data-contrast="auto">against the encrypted output from the previous block, and then that value is encrypted. The result is a chain</span><span data-contrast="auto"> where the </span><span data-contrast="auto">encrypted value of each block depends on the value of the previous block. To start this process, the first block is XORed </span><span data-contrast="auto">against an </span><a href="https://en.wikipedia.org/wiki/Initialization_vector"><span data-contrast="none">initialization vector</span><span data-contrast="none"> (IV)</span></a><span data-contrast="auto">. </span><span data-contrast="auto">Here,</span><span data-contrast="auto"> the IV is itself the XOR of the first and last 8 bytes of the payload from the C2 server.</span><span data-contrast="auto"> </span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p>Without chaining — that is, when each block is encrypted independently, as in ECB mode — a block cipher maps identical plaintext blocks to identical ciphertext blocks. That makes it vulnerable to <a href="https://en.wikipedia.org/wiki/Frequency_analysis">frequency analysis</a> when the block size is small, as well as to <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#ECB">other attacks</a> in the general case. It appears that the authors of this malware went to a surprising amount of trouble to strengthen the Nintendo DS encryption, in stark contrast to the noisy behavior of their sshins installer.</p>
<h2><span data-contrast="none">Conclusion</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h2>
<p><span data-contrast="auto">Without allowing </span><span data-contrast="auto">our</span><span data-contrast="auto"> compromised </span><span data-contrast="auto">test </span><span data-contrast="auto">machine to remain connected to the internet and </span><span data-contrast="auto">be used for malicious purposes</span><span data-contrast="auto">, it’s </span><span data-contrast="auto">difficult to ascertain the exact motivations of the </span><span data-contrast="auto">authors. </span><span data-contrast="auto">But because the malware catalogs</span><span data-contrast="auto"> detailed system information and credentials but does not immediately begin mining cryptocurrency or amplifying the attack by attempting to spread further, </span><span data-contrast="auto">we suspect that access to the compromised machines will be sold or rented as part of a botnet.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<h2><span data-contrast="none">Detection</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h2>
<p><span data-contrast="auto">The malware and C2 server used in this campaign are detected and blocked by </span><span data-contrast="auto">Juniper </span><span data-contrast="auto">ATP</span><span data-contrast="auto"> and Juniper ATP Cloud, and the malicious traffic is detected by the IDP rule SSL:VULN:CWP-LINUX-C2-BACKDOR.</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><br />
</span></p>
<figure id="attachment_24425" class="thumbnail wp-caption aligncenter" style="width: 1024px"><img loading="lazy" class="size-large wp-image-24425" src="https://blogs.juniper.net/wp-content/uploads/2021/04/image11-1024x126.png" alt="" width="1024" height="126" srcset="https://blogs.juniper.net/wp-content/uploads/2021/04/image11-1024x126.png 1024w, https://blogs.juniper.net/wp-content/uploads/2021/04/image11-300x37.png 300w, https://blogs.juniper.net/wp-content/uploads/2021/04/image11-768x94.png 768w, https://blogs.juniper.net/wp-content/uploads/2021/04/image11.png 1100w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="caption wp-caption-text">Figure 11. Detection on Juniper ATP Cloud</figcaption></figure>
<h2><span data-contrast="none">IOCs</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"> </span></h2>
<p>176[.]111.174.26    C2 server (raw TCP on port 443)</p>
<p><span data-contrast="auto">ab9cc4ee82aa6f57ba2a113aab905c33e278c969399db4188d0ea5942ad3bb7d  sshins (as delivered)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">936ca431d17d738beab9735a3d6e658ff29f8337f52353fd60e286c94dd2c06b  sshins (unpacked by UPX, after deleting appended data)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">c8df513e9e4848e35af5246a2ba797540b68a9379a1df17e34550cb0258960e8  sshins (manually unpacked)</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">f51e83a53dd3a364709b1d0b93489f7a114b529268c3bab726ed288eba036bca  /lib64/libs.so </span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">948b6c5fc1ba74ed57388241d1e8656e0ca082d10ff834c628d01c592764926d  /lib64/libs.so</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">56ce53b6c32beacd8864258c81bf276304a8da20bc0011f5e09d37b95a3e5def  /lib64/libs.so</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-contrast="auto">b5e29bdb105ae0e76d75c3d3959954c4f6610cd39aaa8f3aa852dd624e662480  /etc/ld.so.preload</span><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>
<p><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"> </span></p>

	</div>
	
</article>



		
 </section><aside class="three columns dfd-eq-height" id="right-sidebar">



  </aside>
</div>
        
    </div>
	</section>
</div>
</div><!-- End of main-wrap div --> 


</body>
</html>

